When Mark Roberts began working at the FBI in 2002, its cyber program was small. “Almost nonexistent,” he says. “And the cases were mostly child pornography.”
Now cyber investigations are a top priority for the FBI, only behind international terrorism and counterintelligence. “Fraud has exploded over the last eighteen years,” says Roberts, a BYU Marriott information systems grad who is part of Salt Lake City’s cyber task force. “Every office has a cybersquad; some have multiple. The number of agents is exponentially higher than when I first started.”
The stats indicate why. In 2001, 325,519 incidents of fraud, identity theft, and the like were reported in the United States. Last year that number totaled 3,200,329, according to the Consumer Sentinel Network Data Book 2019.
“A lot of in-person victimizations have disappeared, and criminals are turning to the internet,” says Roberts, who was initially drawn to the FBI because his uncle was an agent. “It’s a lot safer for them to hide behind a computer, and the chances of getting caught are much lower.”
Fraud is becoming more broadly executed, says Cam Tovey, head of information security for Confluent, and jumping into the scamming sector doesn’t take much skill. “If a unique and complex attack is successful, it gets people interested and becomes available on the dark web,” says Tovey, who earned his BS in information systems from BYU Marriott. “You don’t have to be super knowledgeable; you don’t have to program. You just have to read through a description to buy it and be a jerk.”
Jeff Jenkins, a BYU Marriott associate professor of information systems, notes that, in the earlier days of fraud, a lone hacker trying to make a few quick bucks was typical. “Now there are large, sophisticated fraud rings, where they have great skills and lots of resources,” he says.
Whether at work or at home, the task of outsmarting those who are trying to outsmart you is an ever-changing battle. Carving out time to put a few safeguarding tactics to work for you is well worth the effort.
The one thing all breaches have in common? Employees.
“I can put all kinds of security controls in place,” says Tyler Theys, chief technical officer for BroadWall. “I can stop a lot of viruses and create effective code, but I cannot monitor the human element. People are always the risk, not the virus or the malware. Quite often cybercrime is the result of someone’s actions.”
It’s not that people are stupid or malicious, Tovey adds; they’re just human. “It doesn’t necessarily mean someone is being nefarious,” he says. “It’s usually just an accident, but the consequences can still be pretty bad.”
Seemingly innocent emails, typically from a family member or trusted coworker, can be fishy. Often a password or credit card number request—or even just an invitation to open a document or click on a link—is actually a type of fraud called phishing. “It’s easy to make an email look like it’s coming from your mom,” Jenkins says.
Staying safe means staying skeptical. Be suspicious of entities claiming to be PayPal or Amazon that send emails warning of account issues. Instead of clicking on the enclosed links, go directly to the specific website, log in, and see if similar messages can be found there.
If an email is not from an organization you have an account with, that’s an even more obvious sign someone is out to get you—hook, line, and sinker.
Once an organization’s email is compromised, it’s easy for fraudsters to monitor company messages and wait for the right moment to insert themselves with a fake email under the guise of a coworker, requesting a large wire transfer to a fake account.
“We’ve seen companies lose hundreds of thousands of dollars, and you can imagine the impact that could have on a small business,” says Roberts. “One comes to mind where $20 million was lost.
“If we’re notified quickly there’s a decent chance we can get it back—we did with the $20 million,” he continues. “But if there’s a few days’ lapse, tracking down the money is much harder. If funds are wired domestically, they can be gone within hours.”
Scammers know that a perfect time to pounce is when executives are out of the office or traveling; employees don’t want to bother their vacationing boss or coworker. “Businesses need a process to verify their wire transfers to avoid this type of fraud,” Roberts says. “Without that, these cases can go on for months without people figuring it out.”
Doing the Two-Step
“Two heads are better than one” is an adage that can potentially spare unnecessary headaches. Where there is too much autonomy, the likelihood of fraud increases. “If I’m going to commit fraud, I want to be in charge of that whole process,” Tovey observes. “Separating duties is one of the big controls for financial fraud.”
Small businesses often run lean, so they have to work on a model of trust, he explains. “Security is always a balance. It’s expensive, like buying insurance. If you’re a small business, then you have to make a tough choice about what to invest in,” he says.
This is where dual authorization comes in. Does a wire need to be sent or a check cut? Have the controller and the supervisor sign off. Similarly, have a rule that emailed financial instructions must also be verbally verified, just in case the request is phony.
Schooled in Security
Theys believes combating the human element should be focused on three basic areas: instituting policies, training employees, and empowering employees.
Having policies on how to utilize technologies is paramount, Theys notes. These rules often mean extra to-dos for employees, but it’s the little things, such as changing passwords, that help an organization run smoothly.
After policies have been set, follow up with regular security training to avoid unfortunate situations. “Security isn’t just an annual training,” Jenkins says. “It’s reminders in the break rooms and activities where you role-play.”
One effective exercise, says Roberts, may be to send out a mock phishing email, followed up with a kind conversation with those who take the bait.
Once employees are schooled in security, the next step is to empower them. “Listen to your users, understand where they’re challenged, and figure out a way to enable them without lessening their abilities,” Theys says. If this doesn’t happen, he continues, users will find ways to do their jobs, even if it means circumventing the organization’s rules, which may come back to bite you.
Got Your Back
Another area of concern is data backup—or the lack thereof.
“I’m shocked that a lot of companies don’t have backups of critical data,” Roberts says. “In this day and age, there is no good excuse not to have either cloud storage or large hard drives.”
Backing up data not only safeguards a company against computer viruses but also protects the organization against ransomware: when hackers infiltrate a company’s network, steal its data, and demand a payment to regain access.
“Ransomware seemed to go dormant for a while, but recently it surged back up,” Roberts says. “The encryption is at such a level, there is no way to decrypt a file.”
Tovey adds, “If you’re in trouble and decide to pay the ransom, you have no guarantees that you’ll really get your data back.” Ransomware can be a nonissue, however, if companies have their data backed up.
Let’s say you stumble upon a stray USB in the parking lot. It may seem altruistic to plug it into your computer and try to figure out which coworker it belongs to. But this could be a sneaky way for a hacker to infiltrate and compromise your organization’s network, Tovey says. Like opening a sinister link or attachment, the USB could be a way to install malicious files on your computer in order to steal confidential information.
Passwords and Beyond
We may see the end of passwords as we know them. New technology is enabling computers to recognize the typing cadence and mannerisms of their users.
“There are all kinds of uniqueness in the way people type,” says Tovey. “Not just your speed, but maybe you only use the shift key with your left hand and the space bar with your right hand.” Profiling an individual’s typing style, also known as keystroke dynamics, is another way of ensuring that the people logging on are legitimate.
Similarly, behavioral analytics—how users interact with websites versus a scammer’s interactions—has also been shown to be effective. “Data is king in detecting fraud, especially in ecommerce and financial institutions,” Jenkins says. “There are indicators, like how someone fills out a form, that may suggest they’re not who they say they are.”
Cut Some Slack
Instant messaging is a quick way to connect with coworkers, but it’s not immune from rules of safe communication practices.
“There have been cases where organizations had their Slack accounts compromised,” Tovey says. “It’s the modern-day water cooler, especially in the COVID universe.”
In these spaces, people often say things that are more casual and relaxed, he continues, and those conversations could be hacked and made public. Instant messages could also be potentially subpoenaed. Be cautious with the info you share via this medium.
Many of the rules that apply in the organizational realm cross over into the home.
“Absolutely educate your kids,” Theys says. “As businesses train employees, a great statement to include is, ‘Don’t hesitate to share this information with your family and friends.’”
And just as a business should back up its files, you should have somewhere to turn when family photos and other valuable information are at stake. “At some point your computer will die, and you will need to get that data back,” Jenkins warns. “It will happen.”
Guard Your Greenbacks
Checking your bank and credit card accounts takes only a few minutes, but monitoring them daily is one of the top ways you can be vigilant. “Whenever there’s a purchase on a credit card, I get a text,” Jenkins says. “No one is going on a shopping spree without me knowing.”
When it comes to online shopping, Tovey says credit cards are the best way to go. “If a fraudulent charge hits your bank account first and then your mortgage goes out, you could be bouncing checks and accruing fees,” he points out. “But when you use a credit card, you can dispute a bad charge and go about your normal purchasing without bouncing checks.”
In the last few years, the United States has largely moved from swipe to chip credit cards, which was a direct response to fraud. The good news? Making fake credit cards is harder now. “It hasn’t solved the problem, but it solved an enormous part of the problem,” Jenkins says.
You’ve heard it before, but now is the time to sit down and make it happen: create long passwords that are Superman strong, and store them in a password manager.
“Having strength to your password stops a lot of issues,” Theys says, “and using the same password for multiple sites is a no-no.”
Examples of huge breaches and people losing everything because of reusing passwords are plentiful, Jenkins adds: “Use two-factor authentication wherever you can. I have it on every one of my bank accounts.”
Also teach your kids about picking—and protecting—good passwords. “Don’t let your children share their phone passcodes with friends. Friends are cute, but they make bad choices,” Tovey says.
On the Rocks
Freeze! The three main credit bureaus (TransUnion, Equifax, and Experian) offer freezing services for credit score reports in hopes that it will stop identity thieves from opening fraudulent accounts.
Placing a credit freeze is easy, and if you need to temporarily unfreeze it—say, if you’re applying for a new car loan—it takes only a minute to lift the restriction.
Credit freezes are a good option for children too. “It’s a free service, so freeze all your kids’ credit,” Jenkins says. “You don’t want someone taking out loans in their names.”
Tweaking the Truth
Yes, lying is undesirable. However, fudging your birthday on social media can help restrict crooks’ access to an important piece of identifying information if they happen to infiltrate your account. “Anonymizing your data as much as you can is a good surface protection,” Theys says. “The less the greater internet knows about me, the better.”
Receiving birthday wishes is one reason people still keep their Facebook account active, but think of how much fun it would be to receive well wishes a day or two early. It will be our little secret.
Money Where Your Mouse Is
Who doesn’t love finding a good deal online? But what if it’s too good to be true?
“I wanted a 360-degree camera,” Jenkins says. “I found a website that listed it for half the price, and in the rush of the excitement to get a good deal, I entered my credit card and hit submit.”
But then Jenkins started to feel uneasy about his online find. “I googled the company and found out it was a fraudulent site, so I called my credit card company to cancel it,” he says.
Moral of the story: Before you proceed to checkout, dig a little deeper on sites you’re not familiar with.
A growing—and devastating—type of fraud happens when impostors infiltrate communications with a soon-to-be homeowner.
“If a title company or loan processor’s email gets compromised, the attackers will simply watch the communication and when it’s ready, they’ll jump in and say, ‘Here’s the wire transfer information.’ They’re nefarious and sneaky,” Tovey says.
As with business wire fraud, any time you need to transfer money, Tovey recommends using an out-of-band communication, or a different means of communication, to confirm the transfer. You can call the person directly or reach out to them by email or text.
“This approach is such an easy way for scammers to get a lot of money in a short amount of time,” Roberts says.
Often it’s the path of least resistance that makes people the most vulnerable. “Humans do everything we can to make our lives easier, which opens us to fraud of any kind,” Theys says.
By committing time, operating with a healthy dose of skepticism, and staying on top of the latest scams, you’ll be able to guard your family and stay out of hot water at work.
“Digital fraud is a real thing; you’ve got to protect yourself at all angles,” Theys says. “It can affect your name, reputation, bottom line. When you protect yourself, it makes it more difficult for bad actors to mimic who you are.”
Article written by Emily Edmonds
Photography by Bradley Slade
About the Author
Emily Edmonds is a former editor of Marriott Alumni Magazine. She is considering letting her toddler create all her passwords from now on.